A closer look at Digital Certificates
Concise coverage of Digital Certificates and its ecosystem.
Concise coverage on Digital Certificates and its ecosystem. Aim to provide you an overview of what the key concepts are. Basic knowledge of SSL is assumed.
- Types of Certificates based on Validation
- Types of Certificates based on Domain Support
- Certificate Chain / CA Bundle
- Cryptography Data Container Formats (PKCS, PEM)
- Certificate related files (CSR, PFX, CER, CRT etc)
Types of Certificates based on Validation
CAs issue SSL certificate to entities after a set of validations. This validation differs based on what level of trust entities wants to establish with their users.
Domain Validity (DV) Certificates
Most common types of SSL certificates. It needs the lowest form of validation. They are procured when the organizations only want to secure the domain traffic. The CA only verifies that the owner has control over the Web Domain, and does no other background check.
Organization Validated (OV) Certificates
It is a certificate that requires medium level validation but provides more trust. In addition to control over the domain, the CAs will also check what kind of business the organization is in.
Apart from securing the web domain, the OV Certificates can also be used for digitally signing the binary files and documents.
Extended Validation (EV) Certificates
It requires highest level of validation but provides maximum trust. CA does rigorous background check on the organization’s existence, business and legal and operational track records.
Microsoft heavily favors this certification as it mandates it for all Windows 10 drivers. Also, the Smart Screen reputation of any binary is boosted when it is signed with an EV certificate.
Types of Certificates based on Domain Support
There is another categorization of SSL certificates based on the number of domains they secure.
Single Domain Certificate: Only secures one fully-qualified domain. Certificate purchased for google.com will not secure mail.google.com.
Wildcard SSL Certificate: It secures unlimited subdomains for a single parent domain. Wildcard certificate purchased for google.com will secure mail.google.com, drive.google.com, etc
Unified SSL Certificate / Multi-domain Certificate / SAN Certificate: The unified SSL certificate secures many domains using the umbrella of the same SSL certificate. It is widely used to secure servers like Microsoft Exchange.
Certificate Chain / CA Bundle
To get the certificate, the organization need not approach the Root CA directly. There are many retailers in the SSL business who provide SSL certificates on behalf of Root CAs.
These retailers are often called as Intermediate CAs. They need to have their own digital certificates to act like the trusted delegates.
This hierarchy is called the Certificate Chain. They are also referred as the CA Bundle (Collection of Root + Intermediate CAs certificates).
Cryptography Data Container formats
Few data container formats have been widely used in the market to store cryptography related data. They define rules and guidelines on how to store data like public keys, private keys, certificates, CA bundle, etc. These formats are now standardized in the market.
Once such format is PKCS (Public Key Cryptography Standard). It comes in 15 different data container flavours to store 15 different types of data. For example, PKCS flavor 1 defines how to store RSA Private and Public key information along with its mathematical properties in a single data file.
It stands for Privacy Enhanced Mail. Originally designed to provide Email security, but that project never took off. However, the data container format, it defined, lived on.
Note: The PEM format is a general purpose data container. It can store many things like the certificates, private keys, public keys, etc. However, in practice, in the SSL world, all certificate related data have their own chosen format, hence, you would often find them in separate files as explained in the next section.
Certificate Related Files
The certificate granting workflow involves certain special file formats to exchange data between the organization and CA.
- Certificate Signing Request File (CSR)
- Certificate File (CER, CRT, DER)
- Private Key file (PFX)
Certificate Signing Request (CSR) File
To request for a Digital Certificate, the organization must generate and send a CSR file to the CA. This file contains various organization details. It can also contain the Public key of the organization if they choose to generate them at their own premise.
The data format of this file is as defined in PKCS flavor 10.
The file is plain text (BASE64 encoded). If you open the file you would find the CSR content between the — — -BEGIN CERTIFICATE REQUEST — — — and — — -END CERTIFICATE REQUEST — — — statements.
Certificate File (CER, CRT, DER)
Once the CA validates your details from the CSR file, it will assign certificates back to the organization in the form of certificate file.
The certificate comes in two distinct data formats,
- PEM format
PEM formatted files usually have .pem, .crt, .cer extensions. All of them have the same content, the different extensions are provided just for the convenience of the user — some software systems require the CER, CRT extensions and other require the PEM extension.
This file is plain text (Base64 encoded). Each certificate in the PEM file is contained between the — — BEGIN CERTIFICATE — — and — — END CERTIFICATE — — statements.
2. Binary format
Certificate can also be issues in Binary form. These format usually have .der or .cer extensions.
Content in the Certificate
This file contains all the fields defined in the X.509 certificate standard.
The main contents are,
- Public Key of the organization
- Subject (name of the organization, its country, etc)
- Issued by (CA Details)
- Expiry Date, etc
To validate the authenticity of all this information, the CA digitally signs all these details with its own private key. The encryption and hashing algorithm used by the CA during digital signature process will be mentioned in the “Signature” section.
For example, to get the digital signature of this certificate the CA encrypted its content using RSA algorithm, and then hashed it using SHA1 algorithm.
Private Key file (PFX)
This file is used to store the Private key of the organization. The data format of this file is PKCS flavor 12.
This is a password-protected container. It contains data in a binary format.
There are two approaches an organization can take to generate Private-Public key pair for their certificate.
Approach 1: Generate key pair on premise
Organization can generate the key pair at their premise. Keep the private key with themselves. And share the public key with CA to put in the Digital Certificate.
The only drawback of this approach is if the organization happens to lose the private key, you lose all the data encrypted with that private key.
Approach 2: Let CA generate the key pair
Organization can let the CA to generate the key pair for them. In this case, while granting the certificate, the CA will also assign private key to the organization in the PFX file.
The advantage of this approach is you have the backup of your private key with CA who would, presumably, keep it extremely safe with itself.